1 Conference Description


The Thirteenth Annual Working Conference on Database Security was held in conjunction with the annual meeting of IFIP Working Group 11.3 in Seattle, Washington on July 26-28, 1999. The purposes of the three-day conference were: (i) to provide a forum for the international computer security community to discuss the current state of research and practice in database and information systems security, (ii) to enable participants to expand their knowledge in security through personal contact with other researchers and practitioners in the field, and (iii) to disseminate widely the results of the conference and accompanying discussions, including original research, practical experiences and innovative ideas in database and information systems security.

A priority at the 1999 IFIP WG11.3 Conference was to investigate the applications of database security research in the Critical Infrastructure Protection (CIP) initiative. Other research questions addressed at the conference were:

1. What are good techniques for describing the various factors involved in designing secure database systems, such as:

(a) Security and privacy policies or policy requirements

(b) Threats to security

(c) Costs/benefits of meeting security and privacy requirements (or risks of not meeting them)?

What relationships should exist between these descriptions and those already associated with database systems, such as queries, views and schemes?

2. What are good methodologies for:

(a) Obtaining these descriptions

(b) Using them in developing secure database systems (including associated applications)

(c) Determining with high assurance that the implemented systems are consistent with their descriptions and specifications?

3. What are the security issues associated with the organization of components (architectures) of database systems, such as networked systems (e.g., WWW), client/server architectures, and layered/modular internal system architectures? How does the integration, interconnection, and interpretation of heterogeneous database systems impact the security of components and the overall system?

4. What are the interactions and tradeoffs between functionality, performance and security in various technical features of database systems, such as query processing, data/object model, integrity maintenance, concurrency control/recovery facilities, and inference/deduction capabilities?

5. What information can be maintained or generated by a database system to assist in maintaining security or privacy, and what are good techniques for using such information, either at run-time or in subsequent analysis, to detect and discourage security violations?

6. What are the related security issues in application areas? These areas include: Accounting and Audit, Authorization and Access Control, Authentication, Computer Security and Public Policy, Data/System Integrity, Electronic Commerce and Virtual Banking, Information Warfare, WWW and Internet Security, Intellectual Property Protection, Intrusion Detection, Privacy and Anonymity, Security for Digital Libraries, Security in Workflow Systems, Security in Mobile and Wireless Systems and Security Management.

2 Conference Program

The strong conference program included nineteen papers organized around eight sessions: Intrusion Detection, Role Based Access Control, Policy/Modeling, Workflow Systems, Data Mining, Multilevel Security, Temporal Authorization Models, and Object-Oriented Databases.

The keynote lecture on Information Security was delivered by Howard Schmidt, Director of Information Security, Microsoft Corporation. Catherine McCollum from DARPA presented an invited lecture on Cyber Control and Command Research.

Two panels, one on Critical Infrastructure Protection (CIP) and the other on Intrusion Detection, were organized. Participants in the CIP Panel included Terry Mayfield (IDA), Donald Marks (NIST), Thomas Harper (Pacific Northwest National Laboratory) and William Maconachy (NSA). The panel on Intrusion Detection included T.Y. Lin (San Jose State), Chris Clifton (MITRE) and M.Y. Huang and Shayne Pitcock (Boeing).

A copy of the conference proceedings is included as an appendix to this report. Revised versions of the papers presented at the conference and the minutes of the panel discussions will be published as a book: Research Advances in Database and Information Systems Security, V. Atluri and J. Hale (Eds.), Kluwer, Norwell, Massachusetts, 2000.


3 Conference Participants


Forty-four individuals, ranging from graduate students to senior researchers, attended the conference. Thirty-one participants were from the United States. The others were from Australia (1), Canada (1), Germany (2), Greece (1), Italy (2), Japan (2), The Netherlands (1), South Africa (1) and the United Kingdom (2).

The conference program and the accompanying discussions of security issues were enhanced by a good mix of researchers from academia, industry, research organizations and the military. In addition to twenty-six university researchers (including three graduate students), there were six industry participants (two from Boeing and one each from Microsoft, Hitachi, Reliable Software Technologies and CignaCom Solutions), six from research organizations (five from MITRE and one from SRI International), and six from the U.S. Government, federal agencies or the military: one each from the NSA, DARPA, NIST, Institute for Defense Analyses (IDA), Pacific Northwest Laboratory, and NRL.


4 Travel Support


The ONR grant subsidized the travel expenses of eighteen conference participants, most of whom were faculty members or students who might not have been able to attend the conference without travel support. To increase student participation and foster interaction with senior researchers, the grant covered all the expenses incurred by the three graduate student attendees.